Customers’ Personal Data Protection

Company Notice
on Customers’ Personal Data Protection
under Personal Data Protection Policy of Krungthai Card Public Company Limited

1. Scope and Purpose of This Notice

Krungthai Card Public Company Limited (the "Company") recognizes the importance of protecting the Personal Data of customers ("You"), who are a data subject under the Personal Data Protection Act B.E. 2562 (2019) and the Company's Personal Data protection policy. The Company has prepared this Notice to explain how we collect, use, and disclose Personal Data, or carry out any processing of your Personal Data, as well as to inform you of your rights under Personal Data Protection Laws.

2. Definitions

Unless specifically stated otherwise, the following terms have these meanings:

3.Sources of Personal Data        

The Company may obtain your Personal Data through the following channels:

3.1 The Company receives Personal Data directly from you, by collecting from various activities such as applying for and/or using the Company's Financial Products and/or services, contacting us to inquire about information, notifying us of changes to your information, participating in marketing activities, through the Company's service channels and/or other contact channels, such as KTC Touch service points, websites, applications, independent financial product advisors, the Company's social media, email, customer service center, Short Message Service (SMS), telephone, questionnaires, meetings, seminars, events, business cards, etc.

3.2 The Company receives or accesses your Personal Data from other sources, such as information from companies in the Company's financial business group, card accepting merchants, banks or other financial institutions, business partners, companies that issue Financial Products jointly with the Company, third-party online platforms, credit bureaus, public sources, government agencies, and/or any other persons who have the legal right to disclose your Personal Data to the Company, etc.

4. Your Personal Data That the Company Collects, Uses, and/or Discloses

4.1 Personal Data

The Company may collect, use, and/or disclose your Personal Data, whether in documentary or electronic form, such as:

• Personal data that you provide to the Company in the process of applying for the Company's Financial Products and/or services, such as application forms, application systems, identification documents (such as copies of identification cards, passport copies), supporting application documents (such as employment information, income statements, copies of bank statements, copies of bank account, collateral ownership information and documents), contact information (such as telephone numbers, addresses, email), including Personal Data that you notify us of changes or provide additionally at a later time. In the case of corporate customers, this may include information on directors, shareholders, authorized representatives, agents, and/or coordinators.
• Financial information and transaction data, such as credit information, credit card/debit card numbers, loan account numbers, PromptPay information, credit limits, collateral ownership information or documents, payment history.
• Information related to insurance policies, such as policy numbers, types of selected products, insurance premium payments, beneficiary information, insurance premium payment history, etc.
• Technical, device or equipment data, such as account names for electronic communications or social media, application usage data, computer identification numbers (IP Address or Mac Address), cookies, login information, location data, computer traffic data under computer crime laws, or other information from using websites, applications, or operating systems that you access.
• Other information, such as complaint information, requests for services or exercising rights, communication records or interactions between customers and the Company, audio recordings, information on registration for various activities with the Company, photographs, video recordings, CCTV footage, building/premises access data, court orders published through the Royal Gazette or government agencies, and information related to the Company's legal compliance, such as subpoenas for documentary or physical evidence, receivership orders, etc.
• Information that the Company receives from your participation in the Company's marketing activities and/or activities jointly organized by the Company.

4.2 Sensitive Personal Data

The Company may collect, use, and/or disclose your Sensitive Personal Data, whether in documentary or electronic form, such as:

• Religious and racial information as shown on your identification card, for use in identity proofing and authentication when applying for and/or using the Company's Financial Products and/or services.
• Biometric data, such as facial recognition data, fingerprint data, for use in identity proofing and authentication when applying for and/or using the Company's Financial Products and/or services.
• Disability information, medical information, and/or health information, for use as information when applying for and/or using the Company's Financial Products and/or services, such as consideration of insurance underwriting by insurance companies.

The Company will collect, use, and/or disclose your Sensitive Personal Data only to the extent necessary to achieve the purposes specified above, and when the Company has obtained your explicit consent, and/or when the Company has a necessity for the establishment of legal claims, compliance with or exercise of legal claims, or defense against legal claims, and/or when it is necessary to comply with laws to achieve purposes related to important public interests, with appropriate measures in place to protect your fundamental rights and interests, and/or for other purposes as permitted by law.

4.3 Personal Data of Third Parties

In cases where you need to provide Personal Data and/or Sensitive Personal Data of third parties, such as information about your spouse, family members, emergency contacts, insured persons, beneficiaries, or any other persons, to the Company for collection, use, and/or disclosure, for the benefit of considering your application and/or use of the Company's products and/or services, contact purposes, compliance with laws and/or regulations of regulatory authorities, you warrant that such data subjects have been informed about this Notice and that you have obtained consent from such persons as required by Personal Data Protection Laws, and you warrant that you will verify the accuracy and completeness of the Personal Data you provide to the Company and will notify the Company when there are changes to such Personal Data.

4.4 Personal Data of Minors or Quasi-Incompetent Persons

The Company will collect, use, and/or disclose Personal Data of minors or quasi-incompetent persons only when the Company has obtained consent from the person with parental authority, guardian, or curator, or in cases where the Company can rely on other legal basis without requiring consent.

5. Purposes and Legal Bases for Personal Data Processing

The Company will collect, use, and/or disclose your Personal Data only to the extent necessary, relying on the legal basis for processing your Personal Data as prescribed by Personal Data Protection Laws, to achieve the purposes specified below. The Company may rely on one or multiple legal basis for processing your Personal Data.

5.1 Legal Basis of Contract Performance, where you are a party to the contract or to take steps at your request prior to entering into a contract, to carry out purposes such as:

• Registration and/or application for the Company’s Financial Products and/or services, such as consideration and verification of qualifications and notification of approval results, identity proofing and authentication, verification of the accuracy of information or documents.
• Provision of Financial Products and/or services to you, including development and management of such products and/or services, such as designing Financial Products and/or services, granting product benefits, delivering/transferring loans, receiving payments, issuing receipts, notifying debt payments or product renewals, including risk management, debt collection and enforcement of contractual obligations, legal rights, asset tracing and seizure, taking possession of assets, auctioning or selling assets, or similar activities.
• Verification of information on directors, authorized representatives, agents, including coordinators of corporate customers.
• Granting benefits and/or prizes under sales promotions that you agree to participate in with the Company.
• Any other actions as requested by you and/or under contracts you have with the Company.

If you do not provide such information, the Company may not be able to fully carry out your requests, contracts, and/or provide Financial Products and/or services to you.

5.2 Legal Basis of Legal Compliance, to carry out purposes such as:

• Compliance with laws, regulations, rules, announcements, by-laws, and/or any practices related to the Company's business operations, such as financial institution business laws, securities and stock exchange laws, life insurance laws, non-life insurance laws, Insurance Commission laws, payment system laws, currency exchange control laws, tax laws, anti-money laundering laws, counter-terrorist financing and proliferation of weapons of mass destruction laws, cybersecurity laws, computer crime laws, debt collection laws, consumer protection laws, etc.
• Compliance with court orders, government agency orders, orders from the Company's regulatory authorities, state officials with authority under the law, such as the Bank of Thailand, Office of the Consumer Protection Board, Fiscal Policy Office, Office of the National Anti-Corruption Commission, Office of the Personal Data Protection Committee, Office of Insurance Commission, etc.

This includes laws, regulations, rules, announcements, by-laws, and/or any practices issued under such laws, both currently in force, as may be amended, and/or as may be enacted in the future.

5.3 Legal Basis of Legitimate Interests of the Company and/or other persons or juristic persons, to carry out purposes such as:

• Maintaining security systems for the Company's buildings or premises, such as identity verification and confirmation before entering premises, recording images of your entry and exit from the Company's premises with CCTV cameras, etc.
• Analysis and research to improve and/or develop the Company's products or services.
• Service quality verification, satisfaction surveys and assessments with the use of Financial Products and/or services to improve and/or develop the Company's products or services, such as recording images/audio of your conversations, interviews, completing questionnaires, etc.
• Customer relationship management and/or complaint handling.
• Offering Financial Products and/or benefits that the Company considers may be beneficial and/or match your needs.
• Taking photographs or recording videos of the atmosphere at training sessions, seminars, booths, or other activities that the Company organizes or sponsors, for use in creating media in any format and publishing on the Company's channels, such as websites, social media, and internal email for Company employees.
• Risk management, auditing, and/or internal organizational management, including forwarding to companies in the Company's financial business group for such operations.
• Controlling, preventing, mitigating, or transferring risks that may arise from fraud, cyber threats, default on debt payments or breach of contract, violations of laws (such as anti-money laundering, terrorist financing and proliferation of weapons of mass destruction, offenses against property, life, body, liberty, or reputation, etc.), which includes sharing Personal Data to enhance the operational standards of companies in the financial business group in controlling, preventing, mitigating, or transferring the above risks.

5.4 Legal Basis of Consent, to carry out purposes such as:

• Offering goods, offering benefits, sales promotion, or offering any services of the Company in the Company's financial group or partner companies that are not similar to or related to the products that the Company has, including using and/or disclosing your information for research, statistical compilation, data analysis for use in such purposes.

In any other cases where the Company cannot rely on other legal basis for processing your Personal Data, or in cases where the Company needs to process your Personal Data for other purposes unrelated to the original purposes, the Company will request your consent as required by Personal Data Protection Laws before proceeding on a case-by-case basis. If refusal to give consent or withdrawal of consent may affect you in any matter, the Company will inform you of the impact of not giving consent or withdrawing such consent. Withdrawal of consent will not affect the processing of Personal Data for which you have already given consent in accordance with the laws.

6. Disclosure of Personal Data

The Company may disclose your Personal data to third parties only to the extent necessary for data processing according to contractual responsibilities, or as the Company can rely on other legal basis, or as consented to by you. The Company may send your Personal Data to the following third parties:

• Personal Data processors, agents, contractors, or external service providers related to the provision of the Company's Financial Products and/or services, such as service providers for introduction, solicitation, sales, including delivery of Financial Products to you, meeting management service providers, research service providers, survey service providers, cloud computing service providers, social media service providers, debt collection service providers, payment channel service providers, coordinators for seminar travel, merchant installation service providers, etc.
• The Company's financial business group, financial institutions, insurance companies, business partners and partners that issue products and/or organize sales promotions jointly with the Company, card accepting merchants, merchant banks.
• Insurance companies, insurance agents/brokers, namely Thai Life Insurance Public Company Limited, Prudential Life Assurance (Thailand) Public Company Limited, AIA Company Limited, Cigna Insurance Public Company Limited, Dhipaya Insurance Public Company Limited, Chubb Samaggi Insurance Public Company Limited, Chubb Life Assurance Public Company Limited, Krungthai Panich Insurance Public Company Limited, Allianz Ayudhya Life Assurance Public Company Limited, Hugs Insurance Company Limited, and other insurance companies, insurance agents/brokers that the Company will notify additionally in the future.
• Regulatory authorities and/or government agencies, such as courts, Bank of Thailand, Office of the Securities and Exchange Commission, Office of Insurance Commission, National Credit Bureau Company Limited, Office of the Consumer Protection Board, Fiscal Policy Office, Anti-Money Laundering Office, Revenue Department, Office of the National Anti-Corruption Commission, Legal Execution Department, Ministry of Justice, Royal Thai Police, including any other agencies to which the Company needs to disclose your Personal Data for the necessity of legal compliance and/or orders from government agencies.
• Advisors, experts, and/or auditors, such as auditors, internal/external auditors, tax advisors, legal advisors, credit rating companies, etc.
• Agencies or organizations of which the Company is a member, such as Credit Information Company Limited, National ITMX Company Limited, card network service providers, etc.
• Any juristic person or other person who is a party to a contract or has legal relations with the Company, including any other person who has authority to process your Personal Data. The Company may send or transfer your data abroad to comply with contracts between the Company and you or with other persons or juristic persons for your benefit, or to comply with legal requirements, or for other purposes permitted by Personal Data Protection Laws, provided that the destination country receiving the data must have appropriate security measures as prescribed by Personal Data Protection Laws, or has been determined by the Personal Data Protection Committee to have adequate Personal Data protection, or the agency or organization receiving the data must be inspected and certified by the Office of the Personal Data Protection Committee as having appropriate Personal Data protection measures, unless you have given explicit consent.

7. Use of Cookies and/or Similar Technologies

The Company may collect and use cookies and/or similar technologies when you access the Company's website and/or applications, to enable the Company's website and/or applications to provide services to you, including to enable the Company to remember your usage, preferences, and analyze your interests to improve and develop the performance of the website and/or applications to meet your needs and usage. You can see more details from the "Cookie Notice" at https://www.ktc.co.th/cookie-notice

8. Personal Data Retention Period

The Company will retain your Personal Data only for as long as necessary for the Personal Data Processing purposes specified in this Notice and/or to comply with legal obligations and various regulations, including the establishment of legal claims, compliance with or exercise of legal claims, or defense against legal claims under applicable laws, as follows:

• In cases where you have been approved as a member of the Company's Financial Products, the Company will retain your Personal Data throughout the membership period and for no more than 10 years from the date of termination of your membership.
• In cases where you have not been approved as a member of the Company's Financial Products, the Company will retain your Personal Data for a period not exceeding 3 years from the date of non-approval.

Upon expiration of the Personal Data retention period, or when the Company no longer has the right or cannot rely on a basis for processing your Personal Data, the Company will delete, destroy, or anonymize the Personal Data so that it cannot identify individuals.

9. Rights of Personal Data Subjects

As the data subject, you have rights under Personal Data Protection Laws to take the following actions:

9.1 Right to Withdraw Consent: You have the right to withdraw consent for the processing of Personal Data that you have given to the Company at any time during the period that your Personal Data is with the Company.

9.2 Right to Access Personal Data: You have the right to access your Personal Data and request that the Company make copies of such Personal Data for you, including requesting that the Company disclose the acquisition of Personal Data to which you did not give consent to the Company.

9.3 Right to Rectify Personal Data: You have the right to request that the Company rectify your Personal Data to be accurate, current, and/or complete, and/or not misleading.

9.4 Right to Erase Personal Data: You have the right to request that the Company delete, destroy, or anonymize your Personal Data for reasons prescribed by Personal Data Protection Laws.

9.5 Right to Restrict the Use of Personal Data: You have the right to restrict the use of your Personal Data for reasons prescribed by Personal Data Protection Laws.

9.6 Right to Data Portability: You have the right to transfer your Personal Data that you have provided to the Company to another data controller or to yourself for reasons prescribed by Personal Data Protection Laws

9.7 Right to Object to Personal Data Processing: You have the right to object to the processing of your Personal Data for reasons prescribed by Personal Data Protection Laws.

You may submit a request for the Company to exercise the above rights through the contact channels specified in this Notice. Such request must be made in writing in the form prescribed by the Company. The Company will use its best efforts to carry out your request or explain the consequences that will arise from carrying out your request within 30 days or no more than the period prescribed by laws. However, the Company may refuse to carry out your request in cases where laws permit, and the Company may charge necessary and related expenses for taking action regarding Personal Data as you request.

In cases where you find that the Company or Personal Data processors, including the Company's employees or contractors, violate or fail to comply with Personal Data Protection Laws, you have the right to file a complaint with the Office of the Personal Data Protection Committee.

10. Personal Data Protection Measures

The Company manages Personal Data protection according to the "Information Security Management System Standard (ISO/IEC 27001:2022)" and the "Personal Data Management Standard (ISO/IEC 27701:2019)".

11. Changes to the Personal Data Protection Notice

The Company may review this Notice to ensure compliance with practices, laws, and relevant regulations. If there are any changes, the Company will notify you through the Company's website at https://www.ktc.co.th/pdpa and/or other appropriate channels.

12. Company Contact Channels

In cases where you wish to exercise your data subject rights under this Notice or have questions regarding the Company's Personal Data Processing, you may contact:

Member Service Center: Telephone 02 123 5000
Contact Address: Krungthai Card Public Company Limited, 591 United Business Centre 2 Building, 14th Floor, Sukhumvit 33 Road, Khlong Tan Nuea, Watthana, Bangkok 10110
Email address: Data Protection Officer DataProtectionOfficer@ktc.co.th

If you find that the processing of customer Personal Data does not comply with Personal Data Protection Laws, you may file a complaint with the Office of the Personal Data Protection Committee.

This Notice is effective from November 10, 2025 onwards.